Deploy from ECR in staging #276
Conversation
@@ -6,6 +6,7 @@ applications: | |||
instances: 0 | |||
docker: | |||
image: ((image)) | |||
username: AKIAWNYQRJFGHBAWM5MI |
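Review bot: The `+` line commits an AWS access key ID as a literal `username` in the manifest. The same manifest already takes the image reference through `((image))` interpolation, so the credential field should be supplied the same way, e.g. `username: ((ecr-username))`, with the value set from a CI environment variable as the thread suggests; that keeps the identifier out of the repository and means the staging and production manifests can share one deploy path when the key changes.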
Should we put this in a CircleCI env variable?
We can; we don't have to. Per prior, unrelated convos in Slack, the account key is NOT secret.
OK ... good to know ... ideally, I'd prefer it in CircleCI env vars.
It's also part of the ECR repository URL, so I'd have to string-concat with the env var in multiple places as well... No, it doesn't; I was thinking of the account ID...
Another reason for leaving it is that I can still use the same deploy script, since I don't need to pass it as an extra CL parameter. That said, this won't be an issue once both staging and prod are updated; let's revisit.
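However the question in the thread is settled, a manifest lint that catches access-key-shaped literals before merge is cheap to run in CI. The following is an added example, not code from this PR or the project: it scans a manifest for strings shaped like AWS access key IDs (`AKIA`/`ASIA` plus 16 upper-case alphanumerics) and flags `username`/`password` fields whose value is not a `((variable))` placeholder, the interpolation form the manifest already uses for `image`. The manifest text and the key ID in it are constructed for the example; the variable name `ecr-username` is an assumption.

```python
import re

# AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) followed by
# 16 upper-case letters or digits. Matching the shape is enough for a lint.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# The manifest's own interpolation syntax, e.g. ((image)); a credential field
# should look like this rather than carry a literal value.
INTERPOLATED_RE = re.compile(r"^\(\([A-Za-z0-9_.-]+\)\)$")
# Minimal 'key: value' line matcher so the example needs no YAML dependency.
KEY_VALUE_RE = re.compile(r"^\s*-?\s*([A-Za-z_][A-Za-z0-9_-]*):\s*(.*?)\s*$")
CREDENTIAL_KEYS = {"username", "password"}

# Constructed manifest. The key id is a made-up value of the right shape,
# not a real credential; the variable name ((ecr-username)) is an assumption.
SAMPLE_MANIFEST = """\
applications:
- name: example-build
  instances: 0
  docker:
    image: ((image))
    username: AKIAEXAMPLEEXAMPLE00
    password: ((ecr-password))
"""
FIXED_MANIFEST = SAMPLE_MANIFEST.replace("AKIAEXAMPLEEXAMPLE00", "((ecr-username))")


def find_access_key_ids(text):
    """Return (line number, matched id) for every access-key-shaped string."""
    return [(n, m.group(0))
            for n, line in enumerate(text.splitlines(), 1)
            for m in AWS_ACCESS_KEY_ID_RE.finditer(line)]


def find_literal_credentials(text):
    """Return (line number, key, value) for credential fields that are not a ((variable))."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE_RE.match(line)
        if not m or m.group(1) not in CREDENTIAL_KEYS:
            continue
        value = m.group(2).strip("'\"")
        if value and not INTERPOLATED_RE.match(value):
            hits.append((n, m.group(1), value))
    return hits


def manifest_is_clean(text):
    """True when no key-id literal and no literal credential field is present."""
    return not find_access_key_ids(text) and not find_literal_credentials(text)


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(label, "key ids:", find_access_key_ids(text),
              "literal credentials:", find_literal_credentials(text))
```

Both checks are kept separate on purpose: the key-id regex catches the value wherever it appears (a URL, a comment, a script), while the field check catches any literal in a credential slot even when it does not look like an AWS key, so swapping one provider for another does not silently disable the lint.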
Updated to use ECR for staging.

A single ECR "repository" named `federalist/garden-build` has been configured in GovCloud `us-gov-west-1` (441879447884) to store our images. For now, I am tagging the images `staging` and `production` (eventually) for the appropriate environments to minimize the disruption to our current workflow. At some point, we can modify our process to version the images and perhaps turn on "tag immutability" on the ECR "repository" to enforce this, which would allow us to ensure that the same image tested in staging is the one actually promoted to production.

I have configured individual and attempted least-privileged read (`federalist-ecr-read`) and write (`federalist-ecr-write`) IAM users/policies that have appropriate access to ALL ECR "repositories" for this account (we currently only have the one). The "read" user is used when deploying the image to cloud.gov, which is apparently cached by the platform so the image can be refetched during restarts and restages.
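The split into a read user and a write user described above is the kind of thing that quietly drifts (a wildcard added "just for now" turns the pull-only user into a push user). As an added example that is not the project's own policy, the block below builds the two policy documents the description implies, a pull-only one and a pull-plus-push one, scoped to the account's repositories, and then checks a policy for the two classic least-privilege mistakes: any mutating ECR action granted to the read principal (including through `ecr:*`-style wildcards) and repository statements left on a bare `*` resource. The partition, region and account ID are constructed placeholders; the ECR action names are the real ones, and `ecr:GetAuthorizationToken` is on `*` because ECR does not support scoping it to a repository.

```python
import fnmatch
import json

# Constructed placeholders, not the project's values. GovCloud uses the
# aws-us-gov partition; the account id below is a made-up example.
PARTITION = "aws-us-gov"
REGION = "us-gov-west-1"
ACCOUNT_ID = "111122223333"
REPO_ARN = f"arn:{PARTITION}:ecr:{REGION}:{ACCOUNT_ID}:repository/*"

# What a pull-only principal needs (plus GetAuthorizationToken, see below).
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
]
# What a push principal additionally needs.
PUSH_ACTIONS = [
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
]
# ECR actions that change registry state. A read-only principal must hold
# none of these; the linter expands wildcards against this set.
MUTATING_ACTIONS = set(PUSH_ACTIONS) | {
    "ecr:BatchDeleteImage", "ecr:CreateRepository", "ecr:DeleteRepository",
    "ecr:PutImageTagMutability", "ecr:SetRepositoryPolicy",
    "ecr:DeleteRepositoryPolicy", "ecr:PutLifecyclePolicy",
    "ecr:DeleteLifecyclePolicy", "ecr:TagResource", "ecr:UntagResource",
}


def build_policy(repo_actions):
    """Two statements: the registry login call must be on '*', all else is repo-scoped."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Login", "Effect": "Allow",
             "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
            {"Sid": "Repo", "Effect": "Allow",
             "Action": list(repo_actions), "Resource": REPO_ARN},
        ],
    }


def read_policy():
    return build_policy(PULL_ACTIONS)


def write_policy():
    return build_policy(PULL_ACTIONS + PUSH_ACTIONS)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_mutations(policy):
    """Mutating ECR actions an Allow statement would grant, wildcards expanded.

    IAM action matching is case-insensitive, so both sides are lower-cased.
    """
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in MUTATING_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found.add(action)
    return sorted(found)


def unscoped_repo_statements(policy):
    """Sids of non-login Allow statements whose Resource is a bare '*'."""
    return [s.get("Sid", "<no sid>") for s in policy["Statement"]
            if s.get("Sid") != "Login" and s.get("Effect") == "Allow"
            and "*" in _as_list(s.get("Resource", []))]


if __name__ == "__main__":
    for name, pol in (("read", read_policy()), ("write", write_policy())):
        print(name, "mutating:", granted_mutations(pol),
              "unscoped:", unscoped_repo_statements(pol))
        print(json.dumps(pol, indent=2))
```

Running `granted_mutations` over the read policy is the assertion a CI job should make each time the policy file changes; the write policy is expected to return exactly the push actions and nothing more, which catches a later "helpful" `ecr:*`.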